| Age | Commit message | Author |
|---|---|---|
| 2014-06-20 | new generic system for stunnel: just `include site_stunnel` and stunnel + needed shorewall will be automatically set up. requires new leap_cli | elijah |
| 2014-05-02 | fix incorrect shorewall parameter name 'protocol', should be 'proto'. Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d | Micah Anderson |
| 2014-04-29 | block DNS traffic at the OpenVPN gateway (#4164). There are many different edge cases where mac and windows clients (and maybe android too) will revert to using a different DNS server than the one specified by openvpn. This is bad news for security reasons. The client is being designed so it doesn't leak DNS, however we don't want to put all of our eggs in one basket, so this will block outgoing port 53 (udp and tcp) on the gateway's firewall from any of the EIP interfaces (thus not blocking DNS access on the gateway itself). Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177 | Micah Anderson |
| 2013-10-16 | vagrant: support other providers besides virtualbox (Bug #4158), Part 2. took out the last remaining virtualbox references | varac |
| 2013-09-04 | make sure that the shorewall package is installed before trying to change its configuration file (#3701). Change-Id: Ib2dad30d53e5bf7539762eb3683430b10eb875ed | Micah Anderson |
| 2013-08-31 | postfix enable submission port using starttls, so the client can transition to the more restrictive TLS wrapper mode. Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa | Micah Anderson |
| 2013-08-29 | Make TLS-required smtps (465) be port for sending SMTP. This is preferred over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604) enable smtps (port 465) for client submission over TLS, and require that TLS is enabled; add 465 to the allowed open ports in the firewall; change the smtp-service.json to use 465 instead of 25. note: I did not use the 'use_smtps' parameter that is available in the postfix class because it added some options that we do not want/need. Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02 | Micah Anderson |
| 2013-08-22 | install a preliminary firewall that blocks everything, except ssh for the cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339). Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38 | Micah Anderson |
| 2013-08-01 | make site_shorewall::soledad use the hiera value for the soledad port. Change-Id: I923f15de807f907d6246c3a83df1e59c39d4e920 | Micah Anderson |
| 2013-07-26 | Merge branch 'feature/soledad' into feature/leap_mx | Micah Anderson |
| 2013-07-25 | initial soledad configuration. Change-Id: I19e91887c3f8e90764b4baef8c5e29e25658e190 | Micah Anderson |
| 2013-07-25 | shorewall rules for site_mx | varac |
| 2013-06-12 | webapp should be available over http so a proper redirect can be done to https. without this rule, one just gets a 'site is unavailable' result. Change-Id: I27b80a0044e9fe4e87e607412c8d0a089d4866a6 | Micah Anderson |
| 2013-05-16 | special casing for pistoncloud/openstack/ec2 | Micah Anderson |
| 2013-05-02 | fixed dnat_rules | elijah |
| 2013-04-30 | minor spacing changes | Micah Anderson |
| 2013-04-30 | setup a site_config::params class that can be used to set some common variables that are used in different places. to start with we setup the `$interface` variable, based on logic as defined in #2213. change the various places that were looking up this value to use site_config::params::interface instead | Micah Anderson |
| 2013-04-04 | add Erlang Distributed Node Protocol Port json entry under bigcouch. setup ednp_server and ednp_client stunnels; update couchdb puppet submodule to support configurable ednp_port parameter and general module cleanup; pass ednp_port to couchdb setup so that it is configured in the vm.args template; clarify in comments the difference between the epmd and ednp ports; remove hard-coded erlang_vm_port variable and instead setup shorewall to allow for the stunnel connection; only setup dnat rules for the ednp client connections | Micah Anderson |
| 2013-04-04 | rename bigcouch.port to more accurate bigcouch.epmd_port | Micah Anderson |
| 2013-04-02 | shorewall: re-order dnat rule variables to match configuration file order | Micah Anderson |
| 2013-04-02 | replace hard-coded port number with hiera determined one, manipulated to remove the 'ip:' from the beginning in bigcouch replication client stunnels | Micah Anderson |
| 2013-04-02 | firewall: remove no longer needed epmd port | Micah Anderson |
| 2013-04-02 | shorewall: create a macro for the bigcouch replication server stunnel to enable these connections, pulling bigcouch_replication_clients, bigcouch_replication_server_port from hiera; create site_shorewall::couchdb::dnat and create_resources to properly setup DNAT for bigcouch_replication_clients | Micah Anderson |
| 2013-04-02 | remove unnecessary class inheritance | Micah Anderson |
| 2013-04-02 | shorewall: add couch_server stunnel port to macro.leap_couchdb, this is necessary for the stunnel to communicate | Micah Anderson |
| 2013-04-02 | start erlang vm on dedicated port so firewalling is easier | varac |
| 2013-04-02 | added site_shorewall::couchdb::bigcouch. bigcouch cluster protocol communicates via the fqdn of the neighbor hosts. So we need to bend all requests to `<fqdn>:4369` to localhost:400x (which is the entry of a stunnel connection to the other neighbor) | varac |
| 2013-04-02 | added site_shorewall::dnat to configure DNAT rules | varac |
| 2013-04-02 | shorewall couchdb config: get open ports right | varac |
| 2013-04-02 | working on stunnel for bigcouch clustering | varac |
| 2013-03-17 | added support for "limited" service levels (although vpn is not yet actually rate limited). | elijah |
| 2013-02-27 | openvpn -- added support for optional "free" rate-limited service via special client certificates with the FREE prefix in the common name. | elijah |
| 2013-02-26 | missed another require => Package['shorewall'] on the file resources in site_shorewall | Micah Anderson |
| 2013-02-12 | missed one require => Package['shorewall'] on one of the file resources in site_shorewall | Micah Anderson |
| 2013-02-12 | file resources that make changes to shorewall need to make sure that shorewall is installed first (#1741) | Micah Anderson |
| 2013-02-12 | fixed: shorewall is blocking api port (Bug #1735) | varac |
| 2013-02-11 | duplicate shorewall service definitions now included from services/* | varac |
| 2013-02-09 | site_shorewall::monitor: allow port 80 + 443 | varac |
| 2013-02-06 | allow outgoing traffic moved to site_shorewall::defaults | varac |
| 2013-02-06 | allow port 80 to tor server | varac |
| 2013-02-06 | configure shorewall for couchdb, tor, webapp | varac |
| 2013-02-06 | allow all outgoing traffic | varac |
| 2013-02-06 | Restructuring site_shorewall. site_shorewall::defaults can be used on every host, it configures a basic firewall, which blocks everything from outside except ping + ssh, and allows outgoing traffic for http, git, dns. | varac |
| 2013-01-30 | start shorewall on vagrant nodes too (#1467) | varac |
| 2013-01-29 | fix variable name for re-ordered fact | Micah Anderson |
| 2013-01-29 | setup special casing for vagrant/virtualbox | Micah Anderson |
| 2013-01-29 | fix variable scoping | Micah Anderson |
| 2013-01-29 | create a special case for vagrant machines that need to have both interfaces in the net zone so we don't lock ourselves out during deploy, but also are able to access the internet | Micah Anderson |
| 2013-01-29 | enclose the variables in curly braces, as recommended by puppet-lint | Micah Anderson |
| 2013-01-29 | add a new fact that provides a fact for each configured ip address, telling you which interface has it (essentially the inverse of the `ipaddress_${interface}` fact). Switch the hiera lookups of the `$interface`, which was pulling from the .json to pull instead from the above fact, see #1547 and #1548 | Micah Anderson |